Rawhide users vulnerable to man-in-the-middle attacks?

Kevin Fenzi kevin at scrye.com
Mon Apr 28 04:10:20 UTC 2014


On Sun, 27 Apr 2014 17:36:57 -0700
quickbooks office <quickbooks.office at gmail.com> wrote:

> If the packages in Rawhide are not signed aren't rawhide users
> vulnerable to man-in-the-middle attacks?

Well, not trivially in the default configuration. 

By default, yum is set to get a metalink from mirrormanager via https. 
In this metalink is a list of mirrors and checksum of the repomd.xml
file. I haven't tested for sure, but if the ssl cert doesn't validate,
I think yum will error out here. If you are using a dnssec enabled
resolver, you will be sure to get the right host. 

Next it goes to the first mirror in the list and gets the repomd.xml
file (usually via http). However, if the file doesn't match the
checksum, it will not use it and try the next mirror. 

Next it gets the other repomd files it needs, but they are all checked
against checksums in the repomd.xml file and if tampered with yum won't
use them. 

Those files include the primary one that has sha256sums for all
packages. If a downloaded package doesn't match the checksum it will
think it has a bad download and not continue.

> Worse it also allows mirrors to send out malicious packages to certain
> users, as the package will not be checked by the end user?

At least using the metalink, yum should see the checksum on this package
doesn't match and assume it was corrupt. 

> I really think all the packages in Rawhide should be signed before
> being pushed out the end user.

If it was simple to do we would have done it. ;) 

See Bruno's link to the releng ticket discussing this... 

kevin
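A small Python model of the checksum chain Kevin describes (metalink hash over repomd.xml, repomd.xml hashes over primary metadata, primary hashes over packages), added here as an illustration; it is not yum's code nor anything from this thread, and the mirror contents, file names and the line-based stand-in for the XML metadata are all constructed.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_listing(data: bytes) -> dict:
    # Stand-in for the XML in repomd.xml / primary.xml: one "filename sha256" per line.
    return dict(line.split() for line in data.decode().splitlines())

def pick_repomd(metalink: dict, mirrors: dict) -> tuple:
    # Walk the metalink's mirror list; keep the first repomd.xml whose hash matches it.
    for name in metalink["mirrors"]:
        repomd = mirrors[name].get("repomd.xml", b"")
        if sha256(repomd) == metalink["repomd_sha256"]:
            return name, repomd
    raise ValueError("no mirror served a repomd.xml matching the https metalink")

def fetch_checked(mirror: dict, filename: str, expected: str) -> bytes:
    # Every file below repomd.xml must match the checksum recorded one level up.
    data = mirror.get(filename, b"")
    if sha256(data) != expected:
        raise ValueError(f"{filename}: checksum mismatch, treated as a bad download")
    return data

def install(metalink: dict, mirrors: dict, package: str) -> bytes:
    name, repomd = pick_repomd(metalink, mirrors)
    primary = fetch_checked(mirrors[name], "primary.xml", parse_listing(repomd)["primary.xml"])
    return fetch_checked(mirrors[name], package, parse_listing(primary)[package])

def attempt(metalink: dict, mirrors: dict, package: str) -> str:
    try:
        install(metalink, mirrors, package)
        return "installed"
    except ValueError as err:
        return f"rejected: {err}"

# Constructed repository content; none of this is real Fedora data.
PKG = b"constructed contents of foo-1.0.rpm"
PRIMARY = f"foo-1.0.rpm {sha256(PKG)}\n".encode()
REPOMD = f"primary.xml {sha256(PRIMARY)}\n".encode()
GOOD = {"repomd.xml": REPOMD, "primary.xml": PRIMARY, "foo-1.0.rpm": PKG}
BAD_PKG = b"constructed backdoored package"
BAD_PRIMARY = f"foo-1.0.rpm {sha256(BAD_PKG)}\n".encode()
# A mirror that rewrote the whole chain: its repomd.xml can no longer match the metalink.
REWRITTEN = {"repomd.xml": f"primary.xml {sha256(BAD_PRIMARY)}\n".encode(),
             "primary.xml": BAD_PRIMARY, "foo-1.0.rpm": BAD_PKG}
# A mirror with genuine metadata but a swapped package: caught at the final step.
SWAPPED = dict(GOOD, **{"foo-1.0.rpm": BAD_PKG})
MIRRORS = {"rewritten": REWRITTEN, "swapped": SWAPPED, "good": GOOD}
METALINK = {"repomd_sha256": sha256(REPOMD), "mirrors": ["rewritten", "swapped", "good"]}
```

Running `attempt(METALINK, MIRRORS, "foo-1.0.rpm")` skips the rewritten mirror at the metalink check and then rejects the swapped mirror's package at the primary-checksum check, which is the behaviour the mail describes for each step.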